List of Microsoft Azure automation permissions for use during Cortex XDR onboarding to enable continuous monitoring in your cloud environment.
Notice
Requires a Cortex XDR license that has the Cloud Posture Security or Cloud Runtime Security add-on.
These permissions enable Cortex XDR to execute remediation and response actions across Azure services, including Compute, Storage, SQL, Networking, Key Vault, Container Registry, App Service, and Cosmos DB. Each permission is scoped to the subscription level and mapped to the specific pack command that requires it.
Note
Unified Cortex platform cloud content packs require a specific set of automation permissions to enable full integration with your cloud environment. Before configuring access for these packs, review the automation permission scope guidelines.
| Permission | Permission Details | Scope | Justification |
|---|---|---|---|
| Microsoft.Authorization/policyAssignments/read | Core foundational permission? True; Capability: AUTOMATION, DISCOVERY; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: All resources within the Azure subscription | Read the configuration of Microsoft Defender for Cloud policy assignments. Cortex uses this to assess the current compliance posture and identify policy gaps that may require automated remediation. This read-only access supports security monitoring without modifying any policy configurations. |
| Microsoft.Authorization/policyAssignments/write | Core foundational permission? True; Capability: AUTOMATION, DISCOVERY; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: All resources within the Azure subscription | Apply Microsoft Defender for Cloud policy assignments to enable security configurations monitoring. Cortex uses this to remediate issues detected by the "Azure Microsoft Defender for Cloud security configurations monitoring is set to disabled" rule. This automated remediation ensures that security monitoring remains active across the environment. |
| Microsoft.Compute/disks/read | Core foundational permission? True; Capability: ADS, AUTOMATION, DISCOVERY; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: All resources within the Azure management group hierarchy | Read managed disk configurations and properties. Cortex uses this to inventory disks and assess their security configurations for agentless disk scanning, including identifying disks that require security analysis. |
| Microsoft.Compute/disks/write | Core foundational permission? False; Capability: ADS, AUTOMATION; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: Resource groups starting with the prefix cortex- | Create managed disks from snapshots for agentless scanning. Cortex uses this to create temporary disk copies that are attached to scanner VMs for security analysis, without affecting production workloads. These temporary disks are cleaned up after scanning completes. |
| Microsoft.Compute/virtualMachines/powerOff/action | Core foundational permission? False; Capability: AUTOMATION; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: All resources within the Azure subscription | Power off an existing Azure Virtual Machine to change its state from Running to Stopped or Deallocated. Cortex uses this for automated incident response, such as isolating compromised virtual machines, and to stop incurring compute charges without deleting the resource. Required for command: azure-vm-instance-power-off. |
| Microsoft.Compute/virtualMachines/read | Core foundational permission? True; Capability: ADS, AUTOMATION, DISCOVERY; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: All resources within the Azure subscription | Enable reading VM configurations. Cortex uses this to inventory virtual machines and identify those requiring security scanning. |
| Microsoft.Compute/virtualMachines/start/action | Core foundational permission? False; Capability: AUTOMATION; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: All resources within the Azure subscription | Power on an existing Azure Virtual Machine to change its state from Stopped to Running. Cortex uses this for automation workflows involving VM lifecycle management and for enabling authorized operators to restore service availability. Required for command: azure-vm-instance-start. |
| Microsoft.Consumption/budgets/read | Core foundational permission? False; Capability: AUTOMATION; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: All resources within the Azure subscription | Read the configuration and current status of established Azure budgets. Cortex uses this for cost monitoring and alerting capabilities, helping maintain visibility into cloud spending patterns. This read-only access does not modify any budget configurations. |
| Microsoft.Consumption/usageDetails/read | Core foundational permission? False; Capability: AUTOMATION; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: All resources within the Azure subscription | Read detailed usage information for Azure resources, including costs and quantity consumed. Cortex uses this for cloud cost analysis and optimization recommendations, providing visibility into resource consumption patterns. This read-only access supports financial governance without modifying any usage data. |
| Microsoft.ContainerRegistry/registries/read | Core foundational permission? True; Capability: AUTOMATION, DISCOVERY, REGISTRY_SCAN; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: All resources within the Azure subscription | Read the configuration and properties of Azure Container Registry (ACR) instances. Cortex uses this to assess container registry security settings, such as export configurations, as part of automation workflows. This read-only access does not modify any registry resources. |
| Microsoft.ContainerRegistry/registries/write | Core foundational permission? False; Capability: AUTOMATION; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: All resources within the Azure subscription | Update the Azure Container Registry (ACR) configuration to disable exports. Cortex uses this to remediate issues detected by the "Azure Container Registry with exports enabled" rule. This automated remediation helps prevent unauthorized data exfiltration through container registry exports. |
| Microsoft.CostManagement/forecast/read | Core foundational permission? False; Capability: AUTOMATION; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: All resources within the Azure subscription | Read predictive forecasts and historical trends for future Azure costs. Cortex uses this to provide predictive cost insights for cloud management, helping organizations plan budgets and identify potential cost anomalies. This read-only access does not modify any cost management data. |
| Microsoft.DBforMySQL/flexibleServers/configurations/read | Core foundational permission? True; Capability: AUTOMATION, DISCOVERY; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: All resources within the Azure subscription | Read the configuration settings of Azure MySQL flexible servers. Cortex uses this to assess database security settings, such as SSL enforcement configurations, as part of automation workflows. This read-only access does not modify any database configurations. |
| Microsoft.DBforMySQL/flexibleServers/configurations/write | Core foundational permission? False; Capability: AUTOMATION; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: All resources within the Azure subscription | Update the Azure MySQL flexible server configuration to enforce SSL connections. Cortex uses this to remediate issues detected by the "Azure MySQL database flexible server SSL enforcement is disabled" rule. This automated remediation ensures encrypted database connections, protecting data in transit. |
| Microsoft.DBforPostgreSQL/servers/configurations/read | Core foundational permission? True; Capability: AUTOMATION, DISCOVERY; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: All resources within the Azure subscription | Read the configuration settings of Azure PostgreSQL servers. Cortex uses this to assess database security settings, such as connection throttling parameters, as part of automation workflows. This read-only access does not modify any database configurations. |
| Microsoft.DBforPostgreSQL/servers/configurations/write | Core foundational permission? False; Capability: AUTOMATION; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: All resources within the Azure subscription | Update Azure PostgreSQL server configurations to enable the connection throttling parameter. Cortex uses this to remediate issues detected by the "Azure PostgreSQL database server with connection throttling parameter is disabled" rule. This automated remediation helps protect databases from brute-force attacks and connection flooding. |
| Microsoft.DBforPostgreSQL/servers/read | Core foundational permission? True; Capability: AUTOMATION, DISCOVERY; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: All resources within the Azure subscription | Read the configuration and properties of Azure PostgreSQL servers. Cortex uses this to inventory databases and assess their security configurations, such as SSL connection settings, as part of automation workflows. This read-only access does not modify any server resources. |
| Microsoft.DBforPostgreSQL/servers/write | Core foundational permission? False; Capability: AUTOMATION; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: All resources within the Azure subscription | Update the Azure PostgreSQL server configuration to enable the SSL connection feature. Cortex uses this to remediate issues detected by the "Azure PostgreSQL database server with SSL connection disabled" rule. This automated remediation ensures encrypted connections to the database, protecting data in transit. |
| Microsoft.DocumentDB/databaseAccounts/read | Core foundational permission? True; Capability: AUTOMATION, DISCOVERY; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: All resources within the Azure subscription | Read the configuration and properties of Azure Cosmos DB database accounts. Cortex uses this to assess NoSQL database security settings, such as key-based authentication configurations, as part of automation workflows. This read-only access does not modify any database resources. |
| Microsoft.DocumentDB/databaseAccounts/write | Core foundational permission? False; Capability: AUTOMATION; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: All resources within the Azure subscription | Modify Azure Cosmos DB accounts to disable key-based metadata write authentication. Cortex uses this to remediate issues detected by the "Azure Cosmos DB key based authentication is enabled" rule. This automated remediation strengthens database security by enforcing Azure Active Directory authentication instead of key-based access. |
| Microsoft.Insights/logprofiles/read | Core foundational permission? False; Capability: AUTOMATION; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: All resources within the Azure subscription | Read the configuration of Azure Activity Log profiles. Cortex uses this to assess audit logging coverage and verify that activity log retention periods meet security requirements. This read-only access does not modify any log profile configurations. |
| Microsoft.Insights/logprofiles/write | Core foundational permission? False; Capability: AUTOMATION; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: All resources within the Azure subscription | Set the Azure Activity Log retention period to 365 days or more. Cortex uses this to remediate issues detected by the "Azure Activity Log retention should not be set to less than 365 days" rule. This automated remediation ensures adequate audit trail retention for compliance and forensic investigation purposes. |
| Microsoft.KeyVault/vaults/read | Core foundational permission? True; Capability: AUTOMATION, DISCOVERY; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: All resources within the Azure subscription | Read the configuration and properties of Azure Key Vaults. Cortex uses this to assess key management security settings, such as recoverability configurations, as part of automation workflows. This read-only access does not modify any Key Vault resources. |
| Microsoft.KeyVault/vaults/write | Core foundational permission? False; Capability: AUTOMATION; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: All resources within the Azure subscription | Modify Azure Key Vault configurations to ensure recoverability by enabling soft-delete and purge protection. Cortex uses this to remediate issues detected by the "Azure Key Vault is not recoverable" rule. This automated remediation protects against accidental or malicious deletion of cryptographic keys and secrets. |
| Microsoft.Network/loadBalancers/backendAddressPools/join/action | Core foundational permission? False; Capability: AUTOMATION; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: N/A | Join a load balancer backend address pool. Cortex uses this permission to configure network interfaces during automated remediation, invoked only when a security policy violation is detected. |
| Microsoft.Network/networkInterfaces/read | Core foundational permission? True; Capability: AUTOMATION, DISCOVERY; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: All resources within the Azure subscription | Read the list of Network Security Group (NSG) interfaces and their configurations. Cortex uses this to assess network security settings and identify resources associated with specific NSGs as part of automation workflows. Required for command: azure-nsg-network-interfaces-list. |
| Microsoft.Network/networkInterfaces/write | Core foundational permission? False; Capability: AUTOMATION; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: N/A | Create or update network interface configurations. Cortex uses this permission to modify network settings during automated remediation, invoked only when a security policy violation is detected. |
| Microsoft.Network/networkSecurityGroups/join/action | Core foundational permission? False; Capability: AUTOMATION, DSPM; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: Resource groups starting with the prefix cortex- | Associate network security groups with subnets or network interfaces within Cortex-managed resource groups. Cortex uses this to apply network access controls to scanning infrastructure, ensuring secure and isolated communication for data classification operations. |
| Microsoft.Network/networkSecurityGroups/read | Core foundational permission? True; Capability: AUTOMATION, DISCOVERY; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: All resources within the Azure subscription | Read the list and configurations of Network Security Groups (NSGs). Cortex uses this to assess network security posture and identify NSGs that may require remediation. Required for command: azure-nsg-security-groups-list. |
| Microsoft.Network/networkSecurityGroups/securityRules/delete | Core foundational permission? False; Capability: AUTOMATION, DSPM; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: All resources within the Azure subscription | Delete a Network Security Group (NSG) rule to stop overly permissive outbound traffic. Cortex uses this to remediate issues detected by the "Azure Network Security Group with overly permissive outbound rule" rule. This automated remediation tightens network security by removing rules that allow excessive access. Required for command: azure-nsg-security-rule-delete. |
| Microsoft.Network/networkSecurityGroups/securityRules/read | Core foundational permission? True; Capability: AUTOMATION, DISCOVERY; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: All resources within the Azure subscription | Read the configuration of Network Security Group (NSG) rules to assess traffic permissions. Cortex uses this to evaluate whether NSG rules are overly permissive and to determine if remediation is needed. Required for command: azure-nsg-security-rule-get. |
| Microsoft.Network/networkSecurityGroups/securityRules/write | Core foundational permission? False; Capability: AUTOMATION, DSPM; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: All resources within the Azure subscription | Modify or create Network Security Group (NSG) rules to stop overly permissive outbound traffic. Cortex uses this to remediate issues detected by the "Azure Network Security Group with overly permissive outbound rule" rule. This automated remediation restricts network access to only what is necessary. Required for command: azure-nsg-security-rule-create. |
| Microsoft.Network/networkSecurityGroups/write | Core foundational permission? False; Capability: AUTOMATION, DSPM; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: Resource groups starting with the prefix cortex- | Create or update network security groups within Cortex-managed resource groups. Cortex uses this to configure network access controls for scanning infrastructure, ensuring that only authorized traffic flows between scanning components. |
| Microsoft.Network/publicIPAddresses/join/action | Core foundational permission? False; Capability: AUTOMATION; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: N/A | Associate a public IP address with a network resource. Cortex uses this permission to manage public IP associations during automated remediation, invoked only when a security policy violation is detected. |
| Microsoft.Network/publicIPAddresses/read | Core foundational permission? True; Capability: AUTOMATION, DISCOVERY; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: All resources within the Azure subscription | Read and list Network Security Group (NSG) and VM public IP addresses and their details. Cortex uses this to identify externally exposed resources and assess their security posture as part of automation workflows. Required for commands: azure-nsg-public-ip-addresses-list and azure-vm-public-ip-details-get. |
| Microsoft.Network/virtualNetworks/subnets/join/action | Core foundational permission? False; Capability: AUTOMATION, DSPM; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: Resource groups starting with the prefix cortex- | Associate subnets with resources within Cortex-managed resource groups. Cortex uses this to connect scanning VMs and database resources to the appropriate network segments for secure data classification operations. |
| Microsoft.Resources/subscriptions/read | Core foundational permission? True; Capability: AUTOMATION, DISCOVERY; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: All resources within the Azure subscription | Read the status and details of Azure subscriptions. Cortex uses this to understand the Azure environment structure and enumerate available subscriptions for automation workflows. Required for command: azure-nsg-subscriptions-list. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Core foundational permission? True; Capability: AUTOMATION, DISCOVERY; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: All resources within the Azure subscription | Read the status and details of resource groups within a subscription. Cortex uses this to inventory Azure resources and understand the organizational structure of the environment. Required for command: azure-nsg-resource-group-list. |
| Microsoft.Sql/servers/databases/securityAlertPolicies/read | Core foundational permission? True; Capability: AUTOMATION, DISCOVERY; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: All resources within the Azure subscription | Read the security alert policy configuration for Azure SQL Databases. Cortex uses this to assess database threat detection configurations and determine whether email notifications for Threat Detection are properly enabled. This read-only access does not modify any security alert policies. |
| Microsoft.Sql/servers/databases/securityAlertPolicies/write | Core foundational permission? False; Capability: AUTOMATION; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: All resources within the Azure subscription | Update the security alert policy for Azure SQL Databases to enable email notifications for Threat Detection. Cortex uses this to remediate issues detected by the "Azure SQL Databases with disabled Email service and co-administrators for Threat Detection" rule. This automated remediation ensures that security alerts are properly communicated to administrators. |
| Microsoft.Sql/servers/databases/transparentDataEncryption/read | Core foundational permission? True; Capability: AUTOMATION, DISCOVERY; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: All resources within the Azure subscription | Read the Transparent Data Encryption (TDE) status for Azure SQL databases. Cortex uses this to assess database encryption posture and determine whether TDE is properly enabled. This read-only access does not modify any encryption settings. |
| Microsoft.Sql/servers/databases/transparentDataEncryption/write | Core foundational permission? False; Capability: AUTOMATION; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: All resources within the Azure subscription | Enable Transparent Data Encryption (TDE) on Azure SQL databases. Cortex uses this to remediate issues detected by the "Azure SQL database Transparent Data Encryption (TDE) encryption disabled" rule. This automated remediation ensures that data at rest is encrypted, protecting sensitive information stored in the database. |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | Core foundational permission? False; Capability: AUTOMATION, DSPM; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: ARM Template | Onboarding scope: ACCOUNT; Resource access constraint: All resources within the Azure subscription | Read blob data stored in Azure Storage containers. Cortex uses this for data classification and sensitive data discovery in blob storage, enabling environment-wide identification of personally identifiable information (PII) and other sensitive data. This access is essential for comprehensive data security posture management. |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read | Core foundational permission? False; Capability: AUTOMATION; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: ARM Template | Onboarding scope: ACCOUNT; Resource access constraint: N/A | Read blob index tags on storage account blobs. Cortex uses this permission to evaluate blob classification metadata during automated remediation assessment. |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write | Core foundational permission? False; Capability: AUTOMATION; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: ARM Template | Onboarding scope: ACCOUNT; Resource access constraint: N/A | Write blob index tags on storage account blobs. Cortex uses this permission to apply security classification tags during automated remediation, invoked only when a security policy violation is detected. |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write | Core foundational permission? False; Capability: AUTOMATION; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: ARM Template | Onboarding scope: ACCOUNT; Resource access constraint: N/A | Write blob data to storage account containers. Cortex uses this permission to update storage configurations during automated remediation, invoked only when a security policy violation is detected. |
| Microsoft.Storage/storageAccounts/blobServices/containers/delete | Core foundational permission? False; Capability: AUTOMATION; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: All resources within the Azure subscription | Delete Azure Storage account blob service containers. Cortex uses this for automated cleanup of misconfigured storage containers as part of remediation workflows. Required for command: azure-storage-container-delete. |
| Microsoft.Storage/storageAccounts/blobServices/containers/read | Core foundational permission? True; Capability: AUTOMATION, DISCOVERY, DSPM; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: All resources within the Azure subscription | Read the configuration of Azure Storage account blob service containers. Cortex uses this to assess storage security settings and container properties as part of automation workflows. Required for command: azure-storage-container-property-get. |
| Microsoft.Storage/storageAccounts/blobServices/containers/setAcl/action | Core foundational permission? False; Capability: AUTOMATION; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: All resources within the Azure subscription | Set or modify the access control list (ACL) for folders or files within a storage container. Cortex uses this for automated remediation of storage access configurations, ensuring that container permissions align with security best practices. |
| Microsoft.Storage/storageAccounts/blobServices/containers/write | Core foundational permission? False; Capability: AUTOMATION; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: All resources within the Azure subscription | Modify Azure Storage account blob service container configurations. Cortex uses this for automated storage security remediation, enabling updates to container properties and access settings. Required for command: azure-storage-blob-containers-update. |
| Microsoft.Storage/storageAccounts/blobServices/read | Core foundational permission? True; Capability: AUTOMATION, DISCOVERY; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: All resources within the Azure subscription | Read the configuration of Azure Storage account blob services. Cortex uses this to assess storage security posture, including soft delete settings, as part of automation workflows. Required for command: azure-storage-blob-service-properties-get. |
| Microsoft.Storage/storageAccounts/blobServices/write | Core foundational permission? False; Capability: AUTOMATION; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: All resources within the Azure subscription | Enable soft delete functionality on Azure Storage account blob services. Cortex uses this to remediate issues detected by the "Azure Storage account soft delete is disabled" rule. This automated remediation ensures that deleted blobs can be recovered, protecting against accidental or malicious data loss. |
| Microsoft.Storage/storageAccounts/read | Core foundational permission? True; Capability: AUTOMATION, DISCOVERY, DSPM; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: All resources within the Azure subscription | Read the configuration and properties of Azure Storage Accounts. Cortex uses this to inventory storage resources and assess their security configurations, such as trusted Microsoft services access settings, as part of automation workflows. This read-only access does not modify any storage account resources. |
| Microsoft.Storage/storageAccounts/write | Core foundational permission? False; Capability: AUTOMATION; Role definition: Automation-{suffix}, automationRole-{suffix}; Cloud environment: Commercial; Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION; Resource access constraint: All resources within the Azure subscription | Enable access for trusted Microsoft services on Azure Storage Accounts. Cortex uses this to remediate issues detected by the "Azure Storage Account 'Trusted Microsoft Services' access not enabled" rule. This automated remediation ensures that essential Azure services can securely access storage resources. |
Microsoft.Web/sites/config/read | Core foundational permission? True Capability: AUTOMATION, DISCOVERY Role definition: Automation-{suffix}, automationRole-{suffix} Cloud environment: Commercial Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION Resource access constraint: All resources within the Azure subscription | Read the configuration settings of Azure App Service Web apps. Cortex uses this to assess web application security settings such as HTTP version and HTTPS enforcement as part of automation workflows. This read-only access does not modify any App Service configurations. |
Microsoft.Web/sites/config/write | Core foundational permission? False Capability: AUTOMATION Role definition: Automation-{suffix}, automationRole-{suffix} Cloud environment: Commercial Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION Resource access constraint: All resources within the Azure subscription | Set the HTTP version to 2.0 within the Azure App Service Web app configuration. Cortex uses this to remediate issues detected by the "Azure App Service Web app doesn't use HTTP 2.0" rule. This automated remediation ensures that web applications use HTTP/2 rather than an older protocol version, for improved performance and security. |
Microsoft.Web/sites/read | Core foundational permission? False Capability: AUTOMATION, SERVERLESS_SCAN Role definition: Automation-{suffix}, automationRole-{suffix} Cloud environment: Commercial Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION Resource access constraint: All resources within the Azure subscription | Read the status and properties of Azure App Service Web apps. Cortex uses this to inventory web applications and assess their security configurations such as HTTPS enforcement as part of automation workflows. This read-only access does not modify any App Service resources. |
Microsoft.Web/sites/write | Core foundational permission? False Capability: AUTOMATION Role definition: Automation-{suffix}, automationRole-{suffix} Cloud environment: Commercial Provisioning method: Terraform | Onboarding scope: ACCOUNT, ACCOUNT_GROUP, ORGANIZATION Resource access constraint: All resources within the Azure subscription | Set the HTTPS-only feature for Azure App Service Web apps to enforce redirection from HTTP to HTTPS. Cortex uses this to remediate issues detected by the "Azure App Service Web app doesn't redirect HTTP to HTTPS" rule. This automated remediation ensures that all web traffic is encrypted in transit. Required for command: azure-webapp-update. |